Bob Gourley moderates cyber security panel with Intelsat CIO Vinit Duggal, Thales Avionics CTO Fred Schreiner, and Cobham Director of Strategic Initiatives Nils Helle.
[Avionics Magazine 06-07-2016] On the second day of the Global Connected Aircraft Summit 2016, a panel of aerospace experts from Cobham, Intelsat and Thales provided updates on the best practices that the entire aviation industry can use to bolster cybersecurity and protect connected aircraft technologies against intrusion. With nearly every airline across the globe considering introducing forms of internet connectivity onto their aircraft in the near future, the industry is starting to conceptualize a more formal approach to protecting critical aircraft systems from threats. However, as the panel noted, that approach will come with challenges.
In 2015, two major events within the industry generated a great deal of mainstream media hype and general concern among airlines, regulators and avionics manufacturers about protecting aircraft from cyber threats. The first was the claim made by professional hacker Chris Roberts that he was able to use a cabin-based In-flight Entertainment (IFE) system to control a Boeing 777 engine while in flight. Additionally, the Government Accountability Organization (GAO) released a report noting major risk associated with both Air Traffic Control (ATC) technology and onboard avionics systems as the applications and technology associated with Internet Protocol (IP) on aircraft continue to increase and reach critical mass. Since then, awareness of the possible threats from introducing more IP onto aircraft has increased, especially among regulatory agencies, lawmakers, airline passengers and mainstream media outlets.
Nils Helle, Director of Strategic Initiatives at Cobham; Vinit Duggal, CIO at Intelsat; Fred Schreiner, Chief Technology Officer at Thales Avionics.
Fred Schreiner, chief technology officer at Thales Avionics, provided the Global Connected Aircraft Summit 2016 audience with several updates on what is being done from a regulatory and certification standpoint to ensure that all possible cyber threats to IP-based cabin and cockpit aircraft technology are being addressed. Thales is one of several companies that are part of an FAA Aviation Rulemaking Advisory Committee (ARAC) formed last year. The committee is tasked with developing new recommendations specifically addressing Aircraft Systems Information Security Protection (ASISP) certification and continued airworthiness on airplanes and aircraft. The FAA wants to use this committee to standardize industry practices around protecting aircraft systems from cyber threats.
"We have two seats on the FAA rulemaking committee that is looking at regulations regarding cybersecurity standards. What is happening is that the industry represented on the panel does not want to be over regulated. The industry’s perspective is that we are responsible, ... and by the nature of our business we need to be responsible and cybersecurity aware and take measures, and so the FAA is working with that team to review and the recommendation will come up in July," said Schreiner.
He also provided some perspective on U.S. Senator Edward Markey's proposed Cybersecurity Standards for Aircraft to Improve Resilience Act of 2016. This legislation was introduced by Markey in April, and would require the disclosure of information relating to cyber attacks on aircraft systems and establish standards to identify and address cybersecurity vulnerabilities to the United States commercial aviation system. The bill also seeks a report to study cybersecurity vulnerability associated with consumer Wi-Fi on aircraft, according to a press release regarding the bill on Markey's website.
"Senator Markey sent a letter to all the U.S. airline CEOs in December last year, plus Airbus and Boeing, asking 20 questions about cybersecurity and they have published some of those responses in the public domain. Their interpretation was that it was rather inconsistent in the way cyber matters are handled by airlines. So this caused some concern by the FAA. While the industry is trying not to be over regulated, the Senate's technical subcommittees are moving to put more teeth into the FAA’s positioning on that. Where that will end up, we are not sure but it’s a dynamic situation and will take some time," said Schreiner.
Nils Helle, director of strategic initiatives at Cobham, also gave the audience some updates on new ARINC standards that are designed to address cyber threats on aircraft. Specifically, Helle spoke about ARINC 781 Attachment 8 and ARINC 771. Cobham's Aviator S series is one of the leading examples of industry innovation around the use of IP for the transfer of aircraft data between aircraft and ground automation systems, or more specifically Aircraft Communications Addressing and Reporting System (ACARS) data. Aviator S features a Compact Satellite Data Unit (C-SDU) with aircraft domain segregation architecture according to ARINC 781 Attachment 8. Still, Helle feels that standards development for aircraft cybersecurity is not occurring at the same pace as industry innovation.
"It’s not happening fast enough. We have to wait until some of these standards are laid down before we start planning and designing and developing. Before we actually had our first product [Aviator S] out, the ARINC 781 standard attachment 8 that deals specifically with security matters, new requirements were developed for that and we had to ensure our system complied with them. And right now there is an ARINC 771 standard, which is the Iridium variant for satcom safety equipment, and there are additional requirements there that we have not adapted yet but we have to take it into consideration the best we can," said Helle.
During the panel discussion, Intelsat Chief Information Officer (CIO) Vinit Duggal also recommended that airlines start taking advantage of new technologies that would give them a more real-time view of cyber intrusion attempts performed by passengers on their aircraft. He and the other two panelists also told the audience to be aware that hackers are becoming more sophisticated in their practices. Today’s hackers have access to free online hacking tools and code readers that can be easily found on the Internet. A specific example of a new-age hacker tool is the Wi-Fi Pineapple, a wireless platform small enough to fit in an overhead bin. It can be used to connect unsuspecting passengers to what appears to be the airline-facilitated Wi-Fi, where its operator can then spy on their Internet activity.
"We are moving from a closed IFE environment to a real open communications environment that is going to open the threat landscape. Some of the things we have to figure out are how are we monitoring the situational awareness of an aircraft, who is responsible for that? Is it the airline? Is it the service provider? Who is responsible and how is that happening?" said Duggal. "The goal is to start protecting proactively and not get into this reactive state where you’re chasing the threat; that’s impossible to do, you’re never going to win that battle."